ICMP redirect

This test checks that customers cannot send ICMP packets carrying redirect messages. ICMP redirect messages are intended to be sent only by a host's first-hop router to point the host at a better router for a destination. A malicious user can send a forged redirect message to a client, informing the client of a "better" path to the default gateway and naming itself as the redirect target, so that the client's traffic is routed through the attacker. Valid ICMP packets, such as Echo requests and replies, must still be allowed through the access switch.

Impact: MITM, DoS

Test process

Malicious and Customer each sends a valid ICMP Echo to ISP.

Malicious sends ICMP packets with a redirect message to Customer.

Fail criteria

Malicious or Customer does not receive an ICMP Echo reply from ISP.

The ICMP packets with redirect message arrive at Customer.
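As an added illustration, not part of the certification test or its tooling, the following Python models the access-port policy this test verifies: it parses ICMP messages, validates the RFC 1071 checksum, permits Echo request/reply, and drops Redirect (type 5) arriving on a customer-facing port. The sample packets, the gateway address (taken from the RFC 5737 documentation range) and all function names are constructed for the example; a real access switch would express the same policy as an ingress ACL rather than in Python.

```python
import struct
from typing import NamedTuple

# ICMPv4 message types relevant to the test (values are from RFC 792).
ICMP_ECHO_REPLY = 0
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8


class IcmpMessage(NamedTuple):
    type: int
    code: int
    checksum: int
    rest: bytes     # 4 bytes after the checksum: id/seq for Echo, gateway address for Redirect
    payload: bytes  # Echo data, or the quoted original datagram for Redirect


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used only to build sample input)."""
    assert len(rest) == 4, "the field after the checksum is always 4 bytes"
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = internet_checksum(body)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(packet: bytes) -> IcmpMessage:
    """Parse and checksum-verify an ICMP message; raise ValueError on malformed input."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    # Summing the whole message, checksum field included, yields 0 for an intact packet.
    if internet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, csum = struct.unpack("!BBH", packet[:4])
    return IcmpMessage(icmp_type, code, csum, packet[4:8], packet[8:])


def access_port_decision(packet: bytes) -> str:
    """Policy for ICMP entering the switch on a customer-facing port.

    Redirects are only legitimate from the first-hop router, never from a customer,
    so they are dropped; every other well-formed ICMP message (Echo in particular) passes.
    """
    try:
        msg = parse_icmp(packet)
    except ValueError as exc:
        return "drop: %s" % exc
    if msg.type == ICMP_REDIRECT:
        return "drop: ICMP redirect from customer port"
    return "permit"


# Constructed sample traffic for the two test steps (not captured from a real network).
ECHO_FROM_CUSTOMER = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"customer-echo")
ECHO_FROM_MALICIOUS = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x5678, 1), b"malicious-echo")
ECHO_REPLY_FROM_ISP = build_icmp(ICMP_ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1), b"customer-echo")
# Redirect, code 1 ("redirect for host"), naming 192.0.2.66 as the supposedly better gateway.
# A real redirect quotes the original IP header plus 8 bytes; 28 zero bytes stand in for it here.
REDIRECT_FROM_MALICIOUS = build_icmp(ICMP_REDIRECT, 1, bytes([192, 0, 2, 66]), bytes(28))
# Same Echo with its first byte flipped, so the checksum no longer verifies.
CORRUPTED_ECHO = bytes([ECHO_FROM_CUSTOMER[0] ^ 0xFF]) + ECHO_FROM_CUSTOMER[1:]


def run_test_traffic() -> dict:
    """Apply the policy to each constructed packet and report the decision per step."""
    return {
        "echo_from_customer": access_port_decision(ECHO_FROM_CUSTOMER),
        "echo_from_malicious": access_port_decision(ECHO_FROM_MALICIOUS),
        "echo_reply_from_isp": access_port_decision(ECHO_REPLY_FROM_ISP),
        "redirect_from_malicious": access_port_decision(REDIRECT_FROM_MALICIOUS),
        "corrupted_echo": access_port_decision(CORRUPTED_ECHO),
    }


if __name__ == "__main__":
    for step, decision in run_test_traffic().items():
        print("%-24s %s" % (step, decision))
```

Mapped onto the fail criteria: the three Echo decisions must be "permit" (otherwise Malicious or Customer would not get an Echo reply from ISP), and the Redirect decision must be a drop (otherwise the redirect arrives at Customer). The checksum check is included because a filter that classifies on the type byte alone will happily pass a truncated or corrupted message; validating the header first keeps the drop reason explicit in logs.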

References

This test conforms to SEC Access Certification IDs "SEC-V4-REDIR-1" and "SEC-V4-REDIR-2" and to SAVI RFC 6959 sections 3.1.3 and 3.2.1.